As public authorities, West Australian local governments have to balance the tension between public expectations of transparency and security.
Legislative and regulatory commitments, as well as public expectations, see LGIS members publicly publishing information such as creditor details including names, addresses, emails, EOIs and respondents, and contract appointments.
It’s important that local governments – officers and councillors – recognise that commitment to transparency also increases vulnerabilities to social engineering attacks.
A WA regional local government recently fell victim to a social engineering fraud scheme leading to a financial loss of over $1 million. An employee received a phishing email, which looked like it was from one of their service providers. Opening a document attached to that email gave the hackers access to their supplier list. The hackers then deceived staff members into changing the payment information for a supplier within the financial system to a non-legitimate bank account.
In one of the emails the scammers, impersonating a member of the finance team, said that they had already verified the new account details of the supplier and requested this change.
There was a series of automatic email conversations between the two employees about the change to the supplier’s account details, which were never received by the owner of the hacked email address.
Attackers had created several rules in the email settings through which all emails received from another employee were marked as read and sent to the RSS Subscriptions folder. It was a routine check of risky sign-in logs, conducted by the local government’s authorised cyber-security supplier, that noticed unauthorised logins from another country.
The request to change account details was not verified outside of the email conversation.
The local government relied on email conversations because the employees were not in the office together and worked remotely.
It is important to note here that the banking institution did inform the local government member before processing the amount to the new bank account; however, they permitted the transaction considering that, in their view, the new bank details were completely genuine. The payment was then made into the scammers’ account.
The local government discovered that they had been compromised when the legitimate supplier contacted them following up payment of invoices. The local government then discovered that payment for two legitimate invoices had been made to the wrong account.
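The mailbox rules described above (mail from one colleague marked as read and moved to the RSS Subscriptions folder) can be looked for in a periodic export of users' inbox rules. The following is an added example, not part of the original article or any LGIS tooling; the record fields are assumptions modelled on the properties Exchange's `Get-InboxRule` returns, with `Mailbox` added by the export, and the folder list and `internal_domain` parameter are hypothetical.

```python
import re

# Folders users rarely open; an assumed starting list, tune it for your tenant.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "deleted items",
                  "junk email", "conversation history"}

def folder_leaf(path):
    """Last component of a folder path such as 'Mailbox:\\RSS Subscriptions'."""
    return re.split(r"[\\/:]", path or "")[-1].strip().lower()

def review_reasons(rule, internal_domain):
    """Return reasons a rule deserves review; an empty list means it looks benign."""
    hides = (folder_leaf(rule.get("MoveToFolder")) in HIDING_FOLDERS
             or bool(rule.get("DeleteMessage")))
    targets = (rule.get("ForwardTo") or []) + (rule.get("RedirectTo") or [])
    external = [a for a in targets
                if not a.lower().endswith("@" + internal_domain)]
    reasons = []
    if hides and rule.get("MarkAsRead"):
        reasons.append("hides mail and marks it as read")
    if hides and rule.get("From"):
        reasons.append("hides mail from: " + ", ".join(rule["From"]))
    if external:
        reasons.append("forwards outside the organisation: " + ", ".join(external))
    return reasons

def flag_rules(rules, internal_domain):
    """Map (mailbox, rule name) to its review reasons, for flagged rules only."""
    flagged = {}
    for rule in rules:
        reasons = review_reasons(rule, internal_domain)
        if reasons:
            flagged[(rule["Mailbox"], rule["Name"])] = reasons
    return flagged

# Constructed sample export; every address and rule name here is invented.
SAMPLE_RULES = [
    {"Mailbox": "accounts@council.example", "Name": ".",
     "From": ["finance@council.example"], "MarkAsRead": True,
     "MoveToFolder": "RSS Subscriptions"},
    {"Mailbox": "accounts@council.example", "Name": "Newsletters",
     "From": ["news@vendor.example"], "MoveToFolder": "Inbox/Newsletters"},
    {"Mailbox": "ceo@council.example", "Name": "fwd",
     "ForwardTo": ["drop@mail.example"], "DeleteMessage": True},
]

if __name__ == "__main__":
    for key, why in flag_rules(SAMPLE_RULES, "council.example").items():
        print(key, why)
```

A flagged rule is a prompt to ask the mailbox owner whether they created it, not proof of compromise.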
For support on improving your local government’s cyber-security practices, contact the LGIS risk team.